WebKit Bugzilla
RESOLVED FIXED
12355
Reproducible crash in WebCore::parseNumber in svg/custom/js-update-bounce.svg under guard-malloc
https://bugs.webkit.org/show_bug.cgi?id=12355
Mark Rowe (bdash)
Reported
2007-01-21 18:05:08 PST
Steps to reproduce:
run-webkit-tests --debug --guard-malloc svg/custom/js-update-bounce.svg

Results:
*boom*

Notes:
This crash happens occasionally running the layout tests at other times, though it's not easily reproduced without guard malloc.

Crash log:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xcd290000
0x0140cf62 in WebCore::parseNumber (ptr=@0xbfffdb8c, end=0xcd290000, number=@0xbfffdb90, skip=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGParserUtilities.cpp:63
63	    if (ptr < end && *ptr == 'e' || *ptr == 'E') { // read the exponent part
(gdb) bt
#0  0x0140cf62 in WebCore::parseNumber (ptr=@0xbfffdb8c, end=0xcd290000, number=@0xbfffdb90, skip=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGParserUtilities.cpp:63
#1  0x0108f7f2 in WebCore::SVGLength::setValueAsString (this=0xbfffdc08, s=@0xcd299ff4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGLength.cpp:244
#2  0x0108f887 in WebCore::SVGLength::SVGLength (this=0xbfffdc08, context=0xcd263f28, mode=WebCore::LengthModeWidth, valueAsString=@0xcd299ff4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGLength.cpp:121
#3  0x010579a6 in WebCore::SVGCircleElement::parseMappedAttribute (this=0xcd263f28, attr=0xcd299fe4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGCircleElement.cpp:56
#4  0x0123ff35 in WebCore::StyledElement::attributeChanged (this=0xcd263f28, attr=0xcd299fe4, preserveDecls=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/StyledElement.cpp:178
#5  0x010b0928 in WebCore::SVGStyledElement::attributeChanged (this=0xcd263f28, attr=0xcd299fe4, preserveDecls=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGStyledElement.cpp:225
#6  0x0124539f in WebCore::NamedAttrMap::addAttribute (this=0xcd27dfd8, attribute=0xcd299fe4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/NamedAttrMap.cpp:287
#7  0x01248b1c in WebCore::Element::setAttribute (this=0xcd263f28, name=@0xbfffdd50, value=0xcd291fe8, ec=@0xbfffde64) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:398
#8  0x01248c4e in WebCore::Element::setAttributeNS (this=0xcd263f28, namespaceURI=@0xbfffddd0, qualifiedName=@0xbfffddcc, value=@0xbfffddd8, ec=@0xbfffde64) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:807
#9  0x0102b1c3 in handleElementAttributes (newElement=0xcd263f28, libxmlAttributes=0xccb42f24, nb_attributes=5, ec=@0xbfffde64) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:624
#10 0x0102e259 in WebCore::XMLTokenizer::startElementNs (this=0xcca2af78, xmlLocalName=0xccaf1c7d "circle", xmlPrefix=0x0, xmlURI=0xccaf1c5b "http://www.w3.org/2000/svg", nb_namespaces=0, libxmlNamespaces=0x0, nb_attributes=5, nb_defaulted=0, libxmlAttributes=0xccb42f24) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:669
#11 0x0102e6ab in startElementNsHandler (closure=0xccadbe48, localname=0xccaf1c7d "circle", prefix=0x0, uri=0xccaf1c5b "http://www.w3.org/2000/svg", nb_namespaces=0, namespaces=0x0, nb_attributes=5, nb_defaulted=0, libxmlAttributes=0xccb42f24) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:984
#12 0x9293aad5 in xmlParseStartTag ()
#13 0x9291a4df in xmlParseChunk ()
#14 0x0102b3c4 in WebCore::XMLTokenizer::write (this=0xcca2af78, s=@0xbfffe13c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:567
#15 0x013b3c51 in WebCore::FrameLoader::write (this=0xb9db6d38, str=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., len=1986, flush=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:882
#16 0x013b3d83 in WebCore::FrameLoader::addData (this=0xb9db6d38, bytes=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:1497
#17 0x010fc0a3 in -[WebCoreFrameBridge addData:] (self=0xb9d86fe4, _cmd=0x90a96118, data=0xca592fe0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:293
#18 0x010ff662 in -[WebCoreFrameBridge receivedData:textEncodingName:] (self=0xb9d86fe4, _cmd=0x90aba160, data=0xca592fe0, textEncodingName=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:1584
#19 0x0023203d in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0xca452ff4, _cmd=0x90aba180, data=0xca592fe0, dataSource=0xc7e25ff4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLRepresentation.mm:172
#20 0x0022d7d7 in -[WebDataSource(WebInternal) _receivedData:] (self=0xc7e25ff4, _cmd=0x90a830f8, data=0xca592fe0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebDataSource.mm:177
#21 0x00294091 in WebFrameLoaderClient::committedLoad (this=0xb9dacfb0, loader=Internal: static symbol `WebCore::DocumentLoader' found in /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/DocumentLoader.cpp psymtab but not in symtab. WebCore::DocumentLoader may be an inlined function, or may be a template function (if a template, try specifying an instantiation: WebCore::DocumentLoader<type>). ) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebCoreSupport/WebFrameLoaderClient.mm:643
#22 0x013b07fb in WebCore::FrameLoader::committedLoad (this=0xb9db6d38, loader=0xc7e1ba38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:2923
#23 0x013c0869 in WebCore::DocumentLoader::commitLoad (this=0xc7e1ba38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/DocumentLoader.cpp:327
#24 0x013c08c2 in WebCore::DocumentLoader::receivedData (this=0xc7e1ba38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/DocumentLoader.cpp:339
#25 0x013afc77 in WebCore::FrameLoader::receivedData (this=0xb9db6d38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:1888
#26 0x013c1aac in WebCore::MainResourceLoader::addData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, allAtOnce=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/MainResourceLoader.cpp:134
#27 0x013c3971 in WebCore::ResourceLoader::didReceiveData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, lengthReceived=1986, allAtOnce=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/ResourceLoader.cpp:194
#28 0x013c1de1 in WebCore::MainResourceLoader::didReceiveData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, lengthReceived=1986, allAtOnce=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/MainResourceLoader.cpp:304
#29 0x013c35d8 in WebCore::ResourceLoader::didReceiveData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, lengthReceived=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/ResourceLoader.cpp:306
#30 0x013a352a in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0xc8243ff4, _cmd=0x90a9d084, con=0xc824dff4, data=0xc8f1afec, lengthReceived=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/network/mac/ResourceHandleMac.mm:349
#31 0x9265bb86 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()
#32 0x92659e67 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#33 0x92659b41 in _sendCallbacks ()
#34 0x90829379 in CFRunLoopRunSpecific ()
#35 0x90828eb5 in CFRunLoopRunInMode ()
#36 0x9262adc6 in -[NSRunLoop runMode:beforeDate:] ()
#37 0x00008e94 in runTest (pathOrURL=0xbffff760 "LayoutTests/svg/custom/js-update-bounce.svg") at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKitTools/DumpRenderTree/DumpRenderTree.m:1051
#38 0x00006141 in dumpRenderTree (argc=2, argv=0xbffff62c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKitTools/DumpRenderTree/DumpRenderTree.m:422
#39 0x000062d6 in main (argc=2, argv=0xbffff62c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKitTools/DumpRenderTree/DumpRenderTree.m:459
Current language:  auto; currently c++
(gdb)
Attachments
Patch (1.53 KB, patch), 2007-01-21 18:28 PST, Mark Rowe (bdash); darin: review+
Darin Adler
Comment 1
2007-01-21 18:28:20 PST
This is a case of missing parentheses.

    if (ptr < end && *ptr == 'e' || *ptr == 'E') { // read the exponent part

The && binds tighter than the ||. Instead we need to put parentheses around the || part of the expression.
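Added example, not WebKit's code: a minimal stand-in for the parseNumber() exponent check that puts the original precedence beside the parenthesised fix and runs both over a constructed buffer whose logical end (the `end` pointer) lies before the array's physical end, so the evaluation of *ptr at `end` is observable without a guard-malloc fault. The parse_result struct, the buggy flag and the sample buffer are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>

typedef struct {
    double value;
    ptrdiff_t overrun;   /* bytes the parser advanced past `end`; 0 when correct */
    int read_at_end;     /* 1 if *ptr was dereferenced while ptr == end */
} parse_result;

/* The exponent check from parseNumber(). buggy=true keeps the grouping the
 * compiler applied to the unparenthesised original; buggy=false is the fix
 * from the patch, with the || parenthesised under the bounds check. */
static bool at_exponent(const char *ptr, const char *end, bool buggy, int *read_at_end)
{
    if (buggy) {
        if (!(ptr < end))
            *read_at_end = 1;   /* left side is false, so *ptr is evaluated anyway */
        return (ptr < end && *ptr == 'e') || *ptr == 'E';
    }
    return ptr < end && (*ptr == 'e' || *ptr == 'E');
}

/* Stand-in for parseNumber(): unsigned integer mantissa plus an optional
 * unsigned exponent, every byte read from [ptr, end). */
static parse_result parse_number(const char *ptr, const char *end, bool buggy)
{
    parse_result r = {0.0, 0, 0};
    double v = 0.0;
    int exp10 = 0;
    while (ptr < end && *ptr >= '0' && *ptr <= '9')
        v = v * 10.0 + (*ptr++ - '0');
    if (at_exponent(ptr, end, buggy, &r.read_at_end)) {   /* the crashing line */
        ptr++;                                            /* skip the 'e' / 'E' */
        while (ptr < end && *ptr >= '0' && *ptr <= '9')
            exp10 = exp10 * 10 + (*ptr++ - '0');
        while (exp10-- > 0)
            v *= 10.0;
    }
    r.value = v;
    r.overrun = ptr > end ? ptr - end : 0;
    return r;
}

/* Constructed input: the array holds "12E5" but the attribute value being
 * parsed is just "12", so end = sample + 2. Under guard malloc the byte at
 * `end` would sit on an unmapped page; here it is simply the rest of the array. */
static const char sample[] = "12E5";
```

With end = sample + 2 the buggy check reads the 'E' past `end`, enters the exponent branch and leaves the cursor one byte beyond the value; the fixed check never touches that byte.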
Mark Rowe (bdash)
Comment 2
2007-01-21 18:28:57 PST
Created attachment 12593: Patch
Darin Adler
Comment 3
2007-01-21 18:30:11 PST
Comment on attachment 12593 (Patch):
r=me
Mark Rowe (bdash)
Comment 4
2007-01-21 18:55:31 PST
Landed in r19021.